Bulgaria-a whole nation hacked

Assignment Help Business Management
Reference no: EM133188123

BULGARIA: A WHOLE NATION HACKED

In July 2019, an anonymous hacker emailed Bulgarian media outlets to proclaim that they had gained access to the database of the Bulgarian tax service. As is often the case with hacks, many of the details are still unclear, but one thing stood out: this was an attack of a staggering scope. Bulgaria has a population of around 7 million people, and the Bulgarian news media reported that the hacker had gained access to the data of 5 million. Analysts quickly concluded that almost everyone who pays taxes in the country had been hacked. The precise data that were accessed is not entirely clear, but it is certain that vital information like names, addresses, data regarding income, and social security numbers had been compromised. 

The incident prompted a flurry of questions in the press and online: Who did it? How did it take place-what vulnerabilities in the tax service's systems did the hacker use to gain access? Could it have been prevented? Were the Bulgarian authorities sloppy, or were their cybersecurity efforts the best that could be expected and the hack unavoidable? Most importantly, what was the impact of this hack, both for the 5 million Bulgarians whose data had been accessed and the Bulgarian authorities? 

The first question has yet to be adequately answered. The Bulgarian police, undoubtedly under severe pressure to produce a suspect, briefly detained Kristiyan Boykov, a young "computer wizard" employed by a firm focusing on cybersecurity. It was believed that he had perpetrated the attack to make the point that Bulgaria needed to do more to protect its data. In 2017, he had exposed vulnerabilities in the website of the Bulgarian Ministry of Education, and he subsequently gave an interview on Bulgarian television explaining that he had exposed these flaws as a matter of "civic duty." 

The then 20-year-old suspect denied all involvement and was released, though prosecutors continue to insist that he is the main culprit, conceding only that others may have been involved as well. They point to an email linked to the hack that was sent from one of the computers in Boykov's possession. When the hack took place, it was assumed to be an attack from outside the country, for the email in which the hack was announced had been sent from a Russian IP address. However, as the investigation progressed, it became clear that this IP address was simply a smokescreen and the email had in fact originated within Bulgaria. 

What vulnerabilities did the hacker exploit? A final answer can only be given once a thorough investigation of the hack is concluded, but cybersecurity experts in Bulgaria quickly concluded that the attack was perpetrated through a system created to file VAT returns from outside Bulgaria. They identified it as an SQL injection, which takes place when corrupted input is fed into a system; instead of performing the tasks that it is supposed to, the system performs the orders it received through the corrupted input. SQL injections are often explained using the metaphor of a fully automated bus: it obeys the commands it gets and will halt at the right stops if it is told to, but if the commands are corrupted, the bus may, for instance, halt every three minutes whether there is a stop or not. 

Could the hack have been prevented? Looking at the statistics, it becomes clear that the Bulgarian hack is not the not the only one to have been perpetrated by using an SQL injection; in 2017, as many as 20 percent of all cyberattacks were carried out by the same method. However, there are ways to protect computer systems against such an attack, and they are not complicated. One of these, is, of course, to use the right software and make sure that the patches for it are applied as soon as they become available. A powerful protection against SQL injection in particular is the use of so-called prepared statements. By using such statements, only certain input is accepted: to use the metaphor of the bus again, you cannot simply, for instance, tell the bus to stop all the time; you can only enter the name of specific streets. 

As always, suspicion is a powerful protective tool in cybersecurity. When dealing with sensitive data, it is important to monitor access to the system that hosts it and, importantly, log and study unsuccessful efforts to send input (which sometimes prove to be an attempt to hack the system). It is also useful to try hacking your own system; if the Bulgarian tax service had enlisted its own "hacking squad," they would surely have found the vulnerability early on and prevented the attack. 

None of these strategies were in place in Bulgaria, according to the country's cybersecurity experts. The hacker boasted of having obtained access to the system several years before the date of the actual attack, and the email announcement to the press contemptuously referred to cybersecurity in Bulgaria as a "parody" of a real one. That may be a harsh judgment, but it is true that many experts had issued the same warnings as the hacker for a long time. Indeed, several months before the tax database hack, the Commercial Registry of Bulgaria was attacked as well. After the tax hack took place, it became clear that the Commercial Registry had yet another vulnerability: anyone could gain access to thousands of social security numbers stored on the website of the Commercial Registry merely by performing a search on Google. 

The scale and depth of the tax hack, however, alerts us to the fact that official databases and systems around the world have been frequently attacked. One of the most spectacular hacks of a government agency took place in February 2016, causing the Central Bank of Bangladesh to lose more than $100 million. The loss of money would have been much higher-the hackers targeted a total of around a billion dollars-but for mistakes in the wiring instructions that caused several orders to transfer money from the bank to be blocked in the United States. Investigations into the causes and perpetrators of this this hack are still ongoing. 

In January 2019, Germany was shocked by one of the biggest data hacks in recent history when very personal details of major politicians (including Chancellor Angela Merkel) were published on Twitter. The German authorities immediately stressed that no really sensitive information had been accessed, but the hack was a huge embarrassment nonetheless, compounded by the fact that the data had been online for several months before their discovery. To add insult to injury, the hack had been perpetrated by a 20-year-old student using common place techniques. 

The Bulgarian case, however, stands apart as the hack had targeted data from almost everyone in the country who pays taxes. But what made cybersecurity in Bulgaria particularly vulnerable-allegedly the real motivation behind the 2019 hack? To begin with, Bulgarian authorities make a distinction between critical infrastructure and non-critical databases. Critical infrastructure is mostly linked to defense facilities and systems. Bulgaria is a member of NATO, so non-members could try to gain access to Bulgarian defense systems to spy on the alliance, hence their categorization as critical. The tax databases were not considered critical and thus received less attention from the state's cybersecurity experts. 

These experts are urging the Bulgarian authorities to step up their efforts to protect their data systems because the impact of such hacks is potentially devastating. Hackers often sell data to criminal gangs, and the data of tax-paying Bulgarians are especially interesting to them as they do not change quickly: people do not change houses or addresses every year and, generally speaking, their income does not fluctuate dramatically either. After the 2019 tax hack, The New York Times cited one cybersecurity expert as saying that the data obtained could easily be sold for about $200 million. The Bulgarian news media have already reported fraudulent schemes mostly targeting the elderly in the country, though it is not clear if there is a clear link with the tax hack. 

Sadly, the risks will remain in place for many years to come, with two in particular standing out: credit card fraud and identity theft. According to some reports in the Bulgarian news media, the hacked income data goes as far back as 2007. It would be easy for criminals to use this data to make lists of people in Bulgaria who are more affluent and use credit cards. Fortunately, credit card use is not widespread in Bulgaria, but if criminals do succeed in perpetrating this kind of fraud, the costs for both the individual and the bank in question may be huge. There is a huge political price for the Bulgarian authorities to pay as well. Tax-paying citizens need to be sure that their data are being kept safe. Few people like paying taxes to begin with, but they should never feel that they put their financial security at risk the next time they file a tax report. 

Bulgaria is a member of the European Union and must abide by the General Data Protection Regulation, a strict set of rules that obliges governments and companies to protect the privacy of citizens and clients. The tax authority was fined €3 million for the breach of data by the country's privacy watchdog. While many of the Bulgarians whose data were illegally accessed may feel that this fine is justified, experts say that this does not solve the problem: Bulgaria needs to take steps to hire more cybersecurity experts and review the security of all data systems. 

However, being a member of the European Union has added another wrinkle to Bulgaria's cybersecurity problems. Cybersecurity experts are in short supply thanks to freedom of movement, as talented IT workers can easily migrate from Bulgaria to other member states of the European Union where the salaries are more competitive than what the Bulgarian government offers. This point was forcefully made by Boyko Borissov, the Prime Minister of Bulgaria, after the attack on the tax database took place. According to him, the Bulgarian state pays cybersecurity experts a monthly salary of around 1,500 Bulgarian leva (approximately €770), but in the private sector the starting salary is at least six times that amount.

Prime Minister Borissov also said that he had considered the idea of outsourcing Bulgarian cybersecurity to experts in other countries, but the costs had proven prohibitive. Aside from the troubling legal implications of giving foreigners access to the sensitive data of Bulgarian citizens, the government would have to trust that the systems of the company it had hired were safe themselves-sadly, that is not always the case. The Bulgarian government is now working on a project to form special cybersecurity unit consisting of experts who are paid well above the average Bulgarian salary.

Case Questions: 

1. Identify and describe the security and control issues related to the hacking technique discussed in this case 

2. What managerial issues are faced by Bulgarian civil servants in charge of cybersecurity? 

3. Discuss the potential impact of the Bulgarian tax hack. 

4. How can data breaches like this be prevented?

Reference no: EM133188123

Questions Cloud

What would you do with the remaining worth of raw materials : You purchased raw materials worth $5,000, but materials worth only $4,500 were used in manufacturing the pizzas sold in February. What would you do
Purpose of dlto for issuing the stock rights offer : Conduct research on what transpired with the Php 8.0 billion stock rights offer of DITO CMO Holdings Corporation in January of this year, which was underwritten
Create and explainbasic use of classes and use variables : Will test your ability to create and explainbasic use of classes and use variables - demonstrate your knowledge of overloading constructors and methods
How much is the benefit expense in profit or loss : How much is the benefit expense in 2022 profit or loss and the amount of prepaid (accrued) banefit as of December 31, 2022
Bulgaria-a whole nation hacked : In July 2019, an anonymous hacker emailed Bulgarian media outlets to proclaim that they had gained access to the database of the Bulgarian tax service. As is of
Communication theory-organizational communication research : locate an academic journal article that uses a traditionalist, interpretive, or critical-interpretivist perspective to examine a communication issue in organiza
Calculate the net capital gain : Calculate the Net Capital Gain, if any, to be included as Mary's assessable income for the year ending 30 June 2021
What is ethical behaviour and what ethical considerations : Do the cost benefit analysis for 2 years to recommend at least one (1) security measure againt each assestto mitigate the risk indentifed
What amount of investment income should be reported : What amount of investment income should be reported on Johnson's income statement for the year ended December 31, 2022

Reviews

Write a Review

Business Management Questions & Answers

  Caselet on michael porter’s value chain management

The assignment in management is a two part assignment dealing 1.Theory of function of management. 2. Operations and Controlling.

  Mountain man brewing company

Mountain Man Brewing, a family owned business where Chris Prangel, the son of the president joins. Due to increase in the preference for light beer drinkers, Chris Prangel wants to introduce light beer version in Mountain Man. An analysis into the la..

  Mountain man brewing company

Mountain Man Brewing, a family owned business where Chris Prangel, the son of the president joins. An analysis into the launch of Mountain Man Light over the present Mountain Man Lager.

  Analysis of the case using the doing ethics technique

Analysis of the case using the Doing Ethics Technique (DET). Analysis of the ethical issue(s) from the perspective of an ICT professional, using the ACS Code of  Conduct and properly relating clauses from the ACS Code of Conduct to the ethical issue.

  Affiliations and partnerships

Affiliations and partnerships are frequently used to reach a larger local audience? Which options stand to avail for the Hotel manager and what problems do these pose.

  Innovation-friendly regulations

What influence (if any) can organizations exercise to encourage ‘innovation-friendly' regulations?

  Effect of regional and corporate cultural issues

Present your findings as a group powerpoint with an audio file. In addition individually write up your own conclusions as to the effects of regional cultural issues on the corporate organisational culture of this multinational company as it conducts ..

  Structure of business plan

This assignment shows a structure of business plan. The task is to write a business plane about a Diet Shop.

  Identify the purposes of different types of organisations

Identify the purposes of different types of organisations.

  Entrepreneur case study for analysis

Entrepreneur Case Study for Analysis. Analyze Robin Wolaner's suitability to be an entrepreneur

  Forecasting and business analysis

This problem requires you to apply your cross-sectional analysis skills to a real cross-sectional data set with the goal of answering a specific research question.

  Educational instructional leadership

Prepare a major handout on the key principles of instructional leadership

Free Assignment Quote

Assured A++ Grade

Get guaranteed satisfaction & time on delivery in every assignment order you paid with us! We ensure premium quality solution document along with free turntin report!

All rights reserved! Copyrights ©2019-2020 ExpertsMind IT Educational Pvt Ltd